Federal Reports

This report summarizes the results of our fiscal year 2024 Federal Information Security Modernization Act (FISMA) evaluation and assessment of the U.S. Small Business Administration’s (SBA) information security program. Our objectives were to determine whether SBA complied with FISMA and assessed the maturity of controls used to address risks in each of the nine security domains.

We found SBA generally responded to previously identified vulnerabilities and made progress in one of the nine domains, in the area of security training. The agency met the baseline in the area of incident response but fell below the baseline for an effective security program in several areas. We rated SBA’s overall information security program as “not effective.”

This fiscal year there are seven new recommendations for improvement. There are 11 open recommendations from 3 prior evaluations. Repeat recommendations from prior years were not included in this report because they have not yet been implemented. The agency successfully closed four recommendations from fiscal year 2023. SBA managers agreed with six recommendations and partially agreed with one. Their corrective actions resolved all the recommendations.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

The Office of the Inspector General identified several issues with the use and oversight of the U.S. Nuclear Regulatory Commission’s telework program, including missing telework agreements and inaccurate telework records, both of which are required by law for proper program administration.  Additionally, we found inadequate compliance with documentation standards, which could result in inconsistent adherence to policies and inaccuracies in employee records. Finally, we identified discrepancies in some official duty stations and failure to comply with telework agreement terms, potentially resulting in incorrect locality pay.
This report makes seven recommendations to strengthen the telework program’s document management and oversight processes to ensure full compliance with federal laws and regulations.

At the request of the Tennessee Valley Authority’s (TVA) Supply Chain, we examined the cost proposal submitted by a company for designing, fabricating, and delivering hydraulic turbine runners and components as specified by TVA.  Our examination objective was to determine if the company’s cost proposal was fairly stated for a contract with expenditures up to $175 million.

In our opinion, the company’s proposed (1) hourly manufacturing and labor rates and (2) markup factors for recovery of indirect costs were fairly stated. However, the company’s proposed billing rates for craft labor were overstated.  Specifically, the proposed craft billing rates in the example project included (1) an ineligible sick leave markup, (2) overstated state unemployment insurance markup, and (3) duplicated workers’ compensation insurance markup.  We estimated TVA could avoid about $1.2 million over the potential $175 million contract by negotiating appropriate reductions to the craft labor billing rates.  In addition, we suggest TVA negotiate to include craft labor billing rates in the contract’s rate schedule, including craft markups and cost adders.